One of the most important of these improvements is the Token Binding family of specifications which is now well on its way towards final ratification at the Internet Engineering Task Force (IETF). (If you want to learn more about token binding, watch this great presentation by Brian Campbell.)

At Microsoft, we believe that Token Binding can greatly improve the security of both enterprise and consumer scenarios by making high-assurance identity and authentication broadly and simply accessible to developers around the world.

Given how positive we believe this impact can be, we have been, and continue to be, deeply committed to working with the community on the creation and adoption of the Token Binding family of specifications.

Now that the specifications are close to ratification, I’d like to issue two calls to action:

The cool thing about our design is that you can store the token binding keys in Key Guard, which is a hypervisor-based (VSM) key isolation service, meaning the keys are protected by a separate secure VM on your host.

All of this hinges on browser support. Edge (and IE even) has supported this on Windows 10 since the early Threshold days. Our HTTP stack too — that means any app using standard Windows networking and HTTP can benefit.

As a developer you might wonder, so what? Well, if you support token binding, you immediately benefit from platform protection of session cookies, access tokens, refresh tokens, etc. This reduces the impact of XSS, open redirects, malware on the box, etc.

First, it's a round trip. That means no 0-RTT. Second, you can't share cookies/tokens. This is the whole point. Third, proxies are assholes. They either don't understand and break, or strip token binding. Grrrrrrr.
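To make the "you can't share cookies/tokens" point concrete, here is an added Python model (not code from the post or from Windows) of the server-side check behind a token-bound cookie: the cookie is tied at issuance to the Token Binding ID (a hash of the client's public key), and every later request must carry a signature over that TLS connection's exported keying material. The toy RSA key built from two Mersenne primes and the EKM byte strings are constructed for illustration; a real implementation uses the browser-managed ECDSA P-256 or RSA key.

```python
"""Simplified model of a token-bound cookie (RFC 8471/8473 style). The cookie
is bound at issuance to the Token Binding ID (hash of the client's public key);
each request must then carry a signature over this TLS connection's exported
keying material (EKM). Toy RSA from two Mersenne primes is CONSTRUCTED for
illustration; real Token Binding uses ECDSA P-256 or RSA-2048 keys."""
import hashlib
import hmac
import secrets

P, Q = 2**31 - 1, 2**61 - 1   # constructed toy key: both are Mersenne primes
N, E = P * Q, 65537
CLIENT_KEY = {"n": N, "e": E, "d": pow(E, -1, (P - 1) * (Q - 1))}  # never leaves client
SESSIONS = {}                 # server state: cookie -> Token Binding ID

def binding_id(n: int, e: int) -> str:
    """Token Binding ID: hash of the public key only."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def _ekm_digest(ekm: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(ekm).digest(), "big") % n

def make_proof(key: dict, ekm: bytes) -> int:
    """Client: sign the EKM of the current connection with the private key."""
    return pow(_ekm_digest(ekm, key["n"]), key["d"], key["n"])

def verify_proof(n: int, e: int, ekm: bytes, proof: int) -> bool:
    """Server: check the proof against the EKM it derived for this connection."""
    return pow(proof, e, n) == _ekm_digest(ekm, n)

def issue_cookie(n: int, e: int) -> str:
    """Server: issue a session cookie and record the key it is bound to."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = binding_id(n, e)
    return cookie

def accept_request(cookie: str, n: int, e: int, ekm: bytes, proof: int) -> bool:
    """Server: accept only a known cookie, presented with the key it was bound
    to, plus a valid proof of possession for this very connection."""
    bound_to = SESSIONS.get(cookie)
    if bound_to is None or not hmac.compare_digest(bound_to, binding_id(n, e)):
        return False              # unknown cookie, or a different key pair
    return verify_proof(n, e, ekm, proof)

if __name__ == "__main__":
    ekm_a, ekm_b = b"constructed-EKM-conn-A", b"constructed-EKM-conn-B"
    cookie, proof = issue_cookie(N, E), make_proof(CLIENT_KEY, ekm_a)
    print("legitimate request:", accept_request(cookie, N, E, ekm_a, proof))
    print("copied cookie+proof on another connection:", accept_request(cookie, N, E, ekm_b, proof))
```

The second call shows the property the post is after: a cookie and proof lifted from one connection are rejected on any other, because the signature covers the per-connection EKM rather than the cookie alone.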

And there are ways you *can't* guarantee this sort of protection. WebCrypto was proposed, but besides not being transparent to the developer (who now has to write crypto-related code), it relies on code that can be executed by an attacker. Whoops.

Anyway, thanks for reading through the ramblings of your favorite token binding PM. There's a thread going on within the Google camp about removing token binding from chrome. I hope they don't. Let them know if you think it should stay. https://t.co/mReD7pnFNr

Author Spotlight

Steve Syfuhs is a security software builder. He has spent the last decade building secure systems and is currently working at Microsoft as a Windows Identity Program Manager in OS Security. He was a Microsoft Developer Security MVP between 2011 and 2018.